
Maven a very useful implementation, can’t trust it yet.

Where code comes from is very important. As a developer or company you are ultimately responsible for what you have provided to your users. Recently I have been using Maven for some projects friends have asked for help on. I have always avoided the use of Maven because I found the security model very weak. I would never deploy a production application using Maven without a rigorous audit of the jars it is using, and by the time that is done you have lost the productivity gain. Let’s ignore what it could inject into your development environment. That was my view and still is.

How can I trust that the code I am getting is valid? Digests and trusting the people that run the repositories are not good enough; I need an independent third-party system before I would ever use Maven to go from development to production without an audit. Maven has the potential to inject one of the largest viruses in Internet history into the Internet, IMO. One of the problems with all of the security models is that in the end the security is only as good as the service provider, so you need checks and process. Initially checks and processes slow things down, until they are developed. What is preventing a disgruntled individual close to Maven from injecting a sleeper thread into a critical library, say a JSON library, that one day wakes up and starts reading the disk on the servers it is on and uploading it to the Internet? Even worse, it does this at a very low level over several years, so it is not really detected until massive amounts of data have been copied. As a professional developer there is a minimum due diligence one must apply to the components one uses to build something. This is no different from a chef picking products for a meal. The blame game begins.

When Java first arrived there was quite a bit of discussion about trusting mobile code. I think the mobile issue clouded things up and the industry should have focused on code from a third party; mobile is practically the default case, and trust and computing at a distance via delegation are the two issues. It is curious how we are now getting code from the Internet practically at the OS level, produced by developers with dependency trees that they can’t even enumerate. See “Ultra-Large-Scale Systems: Ultra-large-scale (ULS) systems will be interdependent webs of software-intensive systems, people, policies, cultures, and economics.”

  1. Is the access to Maven repositories over SSL?
  2. Does the SSL certificate point to a document defining how the repository is managed and checked?
  3. Are the code segments signed?
  4. Is there a log file produced that records where the jars came from and where the source is?
  5. Is there one developer that verifies the source?
  6. What is the legal entity when one of the jar files has a virus introduced by an open source programmer?
  7. What is the relative risk factor of an application based on the third-party code and how it was put into the system?
  8. …. We all know how easy it is to present security issues, kind of like yelling fire or saying Sarbanes-Oxley :)

When I use Maven, I put all artifacts that an end user will run into my own repository, and I will not use jars that do not have source that reproduces them; curiously, proprietary jars don’t cause this concern for me. It would be nice if Maven had a recreate-from-source option, and this option would produce all the documentation about the release, similar to ideas Richard Gabriel discussed in “Conscientious Software”. I am still concerned about the plugins that are loaded into my development system; I seem to have hundreds of them. There is a further issue in that the source code that has been inserted into the repository does not have a history of where the change came from and who reviewed it. Do I really believe that every open source change has been seen by more than one knowledgeable, ethical person? No. And that it goes into a secure trusted repository constantly monitored for fraud? No. Hopefully I am wrong about all the above issues and there is active work on improving the management of all the artifacts one needs to build an application. I would go as far as to say that I would like to see this type of thinking in the language.
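The pinned-digest check that the two passages above argue for (digests served by the repository itself are not enough; keep the audited artifacts and their digests under your own control), as an added Python example that is not from this post or from the Maven project. It assumes the standard Maven repository directory layout and a constructed lock dict of coordinates to SHA-256 values; the sample jars are constructed bytes, not real artifacts.

```python
import hashlib
import os
import tempfile

def artifact_path(repo_root, group, artifact, version):
    # Standard Maven layout: dots in the groupId become directories.
    return os.path.join(repo_root, *group.split("."), artifact, version,
                        f"{artifact}-{version}.jar")

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large jars need not fit in memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_repo(repo_root, lock):
    """'lock' maps groupId:artifactId:version to the SHA-256 recorded when the
    jar was audited. It lives in your source tree, not in the repository's own
    .sha1 sidecar, so a tampered repository cannot rewrite both.
    Returns {coordinate: 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    for coord, expected in lock.items():
        group, artifact, version = coord.split(":")
        path = artifact_path(repo_root, group, artifact, version)
        if not os.path.exists(path):
            results[coord] = "missing"
        elif sha256_of(path) != expected.lower():
            results[coord] = "mismatch"
        else:
            results[coord] = "ok"
    return results

def demo():
    """Constructed sample: two fake jars, one altered after its digest was pinned."""
    root = tempfile.mkdtemp()
    lock = {}
    for coord, data in (("org.example:json-lib:1.0", b"PK\x03\x04 constructed jar A"),
                        ("org.example:util:2.3", b"PK\x03\x04 constructed jar B")):
        group, artifact, version = coord.split(":")
        path = artifact_path(root, group, artifact, version)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(data)
        lock[coord] = hashlib.sha256(data).hexdigest()
    # The post's "sleeper" scenario: the jar changes after it was audited.
    with open(artifact_path(root, "org.example", "util", "2.3"), "ab") as f:
        f.write(b"\x00 injected later")
    lock["org.example:missing:0.1"] = "0" * 64  # pinned but never downloaded
    return verify_repo(root, lock)
```

Running the same check in CI against the repository you promote artifacts from turns a silent post-audit change into a failed build rather than a quiet deployment.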
